Surveillance webinar Wednesday 3 May 12 pm Surveillance

Surveillance webinar Wednesday 3 May 12 pm

Surveillance Webinar

Benefits Privacy

The eight data protection principles

Privacy impact assessments - a risk based, proportionate approach What? When? Why? NOT JUST A CHECKLIST AT THE VERY BEGINNING IDENTIFY RISKS & MITIGATE

ICO code of practice Designed to help those who use surveillance cameras to collect personal data to stay within the law. https: //ico. org. uk/media/fororganisations/documents/154 2/cctv-code-of-practice. pdf

Continuous recording

Use of audio

Have you told individuals what you’re doing? https: //ico. org. uk/fororganisations/guide-todata-protection/privacynotices-transparency-andcontrol

Principle seven – security Appropriate technical & organisational measures

Other considerations • What else do I need to consider? o governance o disclosures

Case Studies

Good Practice

Compliant use of surveillance What’s the purpose and would you be capturing images you actually need? Is there an alternative to surveillance? How long are you holding the footage for? Can (only) the appropriate people have access to it? How do you provide fair processing to clearly explain that recording is taking place? Is the footage and system secure?

An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach https: //ico. org. uk/media/fororganisations/documents/1595 /pia-code-of-practice. pdf

https: //www. gov. uk/government/organisations/surveillance-camera-commissioner

Data protection reforms

Implement data protection by design and default (Art 25). • Pseudonymisation • Transparency • Data minimisation

Use data protection impact assessments where appropriate (Art 35). Necessary where • • • …the processing is likely to result in a high risk to the rights and freedoms of individuals, especially where the processing activity involves the use of new technologies. where processing involves a high level of profiling, or large scale use of surveillance, Where processing involves large scale processing of special categories of PD, or data relating to crime

Security requirements Pseudonymisation and encryption – specifically mentioned as security measures. You must be able to ensure the confidentiality, integrity, availability and resilience of your systems. The ability to restore the availability of and access to data in a timely manner. Have a process to test, assess and evaluate the effectiveness of the measures you have in place.

Designation of a DPO Article 37(1) of the GDPR requires the designation of a DPO in three specific cases: a) where the processing is carried out by a public authority or body; b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences. • Article 37 also applies to processors

ico. org. uk/dpreform

Any Questions? Helpline: 0303 123 1313 Keep in touch by subscribing to our e-newsletter at www. ico. org. uk or find us on… • www. twitter. com/icone ws